Sometimes I have trouble controlling myself while in front of the computer and I tend to procrastinate a lot doing Internet surfing. Fortunately I do not need Internet for most of my work.

So I would like to have a way to completely disable networking on Linux. To enable it again I would need a USB stick which would act as a key.

Do you have any advice on how one could go about implementing such a scheme? Ideally the enabling/disabling of networking should be as quick and automatic as possible. Also I would like a solution which, once implemented, is easy to set up on different machines.

EDIT: I have a similar set-up for my laptop, but it is not as automatic as I would like. I simply delete all the wireless drivers and keep a copy of them on a USB stick. But this solution is not easily portable. So I am looking for ideas on how to improve it.

How about an iptables rule that drops all packets for, say, 30 min, which can be activated with a key combination? You can combine this with the pomodoro technique. This has the advantage that you could theoretically enable single sites you need for work, e.g. an online dictionary.
– Marco, Mar 8 '13 at 14:55

I'm not sure I get what you propose. I have root access to my computer. So if I can set up iptables to drop packets, then I can also turn it off pretty easily. I have tried similar software solutions before. They work as long as you don't break them. But if you break them even once they become useless. The idea is to keep the USB key away from my office. So when I need internet I would have to fetch it, which would take me about 10 minutes. This should give me enough time to not act impulsively.
– tzanko, Mar 8 '13 at 15:18

Is the connection on both machines wireless?
– George, Mar 8 '13 at 15:58

I don't know what you're using to manage your connection (e.g., NetworkManager), but that must involve some configuration stuff or other files that would take more than 10 minutes to replace/reconfigure if you suddenly wanted to. So choose something along those lines, disable/turn off your network daemon, and encrypt whatever piece (you could do this to the wireless driver), keeping the key on the USB stick. You could automate the process using a script and udev rules.
– goldilocks, Mar 8 '13 at 17:39

I figured out a simple way to do what I wanted, so I will post it here as a reference to others that might need something similar.

As many people noted, if you have root access it is very difficult to restrict anything. So the idea is to restrict the root access. We can use the pam_usb module to do that. We can set up the computer in such a way that a USB stick is required to log in as root. See the tutorial on http://linuxconfig.org/linux-authentication-login-with-usb-device which explains how.

When we no longer have unrestricted root access we can restrict or disable Internet/networking in various ways.

Since your requirements include root not being able to get around it, the best thing to do is probably to switch to a USB network interface. Or, alternatively, if you are using wired Ethernet, instead of a USB key, remove the Ethernet cable.

After getting your USB interface working, you'll have to disable the on-board interface. If it's wireless, there is a reasonable chance that it's actually a PCI-E card (trivial to remove). If not, you can try removing the antenna; that may be enough to stop it from working.

You could also disable your connection from the other end. E.g., add your MAC address to the router's blocklist. You could of course log back in to the router to re-enable it... but you'd need network access first, which you'd need to go to a different computer to have. Or, if hardwired, unplug your cable from the switch.

If someone else controls the network gear, you could talk to him/her, and see if you can get the restriction put in place on the router.

If you're the only one on the connection, you could also remove the router/modem/etc. Or just its power brick.

(If you really, really have to do this with software only, you could manage to lock down root by taking net admin out of the capabilities set, which would at least force you to reboot...)
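
An added example, not part of the answer above: a check for the software-only lock-down mentioned in its last paragraph. It assumes the capability has already been removed by some other means and only reads the `Cap*` lines of `/proc/<pid>/status`; the function names and the sample masks are constructed for illustration.

```shell
#!/bin/sh
# Added example: can this process still (re)configure networking?
# Reads the Cap* lines of a /proc/<pid>/status file.

CAP_NET_ADMIN_BIT=12   # CAP_NET_ADMIN is capability 12 in <linux/capability.h>

# cap_mask FIELD FILE: print FIELD's hex mask (e.g. CapBnd); fail if absent.
cap_mask() {
    awk -v f="$1:" '$1 == f { print $2; found = 1 } END { exit !found }' "$2" 2>/dev/null
}

# has_net_admin FIELD FILE: 0 = bit set, 1 = bit clear, 2 = field missing/garbled.
has_net_admin() {
    mask=$(cap_mask "$1" "$2") || return 2
    case $mask in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    [ $(( (0x$mask >> $CAP_NET_ADMIN_BIT) & 1 )) -eq 1 ]
}

# net_lock_state FILE prints:
#   open        the capability is effective right now
#   regainable  not effective, but still in the permitted, inheritable or
#               bounding set, so it can be raised again (e.g. through sudo)
#   locked      absent from all four sets: gone for this process and
#               anything it executes, whatever the uid
#   unknown     the file has no usable Cap* lines
net_lock_state() {
    state=locked
    for field in CapBnd CapInh CapPrm CapEff; do   # CapEff last: it wins
        rc=0; has_net_admin "$field" "$1" || rc=$?
        case $rc in
            2) echo unknown; return 0 ;;
            0) [ "$field" = CapEff ] && state=open || state=regainable ;;
        esac
    done
    echo "$state"
}

# Constructed sample: a root shell with bit 12 (0x1000) cleared in every set.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CapInh: 0000000000000000
CapPrm: 000001ffffffefff
CapEff: 000001ffffffefff
CapBnd: 000001ffffffefff
EOF
echo "constructed sample: $(net_lock_state "$sample")"
echo "this shell:         $(net_lock_state "/proc/$$/status")"
rm -f "$sample"
```

The inheritable set is checked as well because removing a capability from the bounding set does not remove it from the inheritable set, and a root program executed later would pick it up from there.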